On 09/30/2017 09:10 PM, Sean Whitton wrote:
> On Sun, Oct 01 2017, Pirate Praveen wrote:
>> Packaging of rollup is stuck and I can make progress with gitlab
>> package with node-d3-color in contrib. Quite a lot of work can happen
>> even with gitlab in contrib, like making sure everything is configured
>> correctly, making sure update from previous version is working, people
>> can test and report bugs while we are working on getting all
>> dependencies in main etc. If I simply wait for rollup to arrive in
>> main, I can't do any of those.
> Okay, I see how this would be useful -- thanks for the explanation.
> I am still very uneasy about serving our users -- even our users of
> Debian unstable -- with packages that are built using material pulled
> from the net. I think that people who add 'contrib' to their
> sources.list do not expect this kind of thing.

Ack. Wouldn't it be preferable to just include a copy of the prebuilt
node-d3-color "binary" alongside its actual source tarball and have
debian/rules just copy the prebuilt "binary" for now? That would
fulfill one of the widely accepted use cases for contrib (needs
something currently not in Debian to build, but is otherwise free
software - see e.g. the VirtualBox BIOS requiring a non-free
compiler) much closer than downloading stuff from the network.

I think that requiring network access during build is a big no-no in
general, regardless of where the software is sorted into. For
example, it fails the dissident test. And it ensures that what's
in the Debian source package is what you actually get in the
end, not subject to the whim of server operators outside of Debian
during build time (which may be at any point as there are binNMUs).